Variable Encryption Scheme for Data Transfer Between Medical Devices
and Related Data Management Systems

CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to and the benefit of the filing date of U.S.
Provisional Patent Application Ser. No. 60/193,881, entitled "Variable Encryption
Scheme for Data Transfer between Medical Devices and Related Data Management
Systems," filed March 31, 2000; which application is hereby incorporated by reference in
its entirety.

FIELD OF THE INVENTION
The present invention generally relates to data management for medical devices.
Specifically, the invention relates to an apparatus and method for variably encrypting and
transferring data transmitted between various devices. More specifically, the invention
provides for dynamic encryption of patient data, program commands, physician's options
and choices, and similar parameters at varying levels of security based on the content and
nature of the data.

BACKGROUND OF THE INVENTION
A network of devices having data communications capabilities, that are associated
with implantable medical devices (IMDs), has been provided for the administration of
IMDs. On the network may be implemented a system and method of bi-directional
telecommunications between an expert data center, clinicians, and an IMD programmer
device, utilizing various types of network platforms and architecture to implement, in the
programmer, distance-based troubleshooting, maintenance, upgrade, information and
administrative services, thereby providing an economical and highly interactive system
for therapy and clinical care.

The assignee of the present invention has disclosed data management,
transfer and archiving schemes relating to IMDs and associated instruments such as a
programmer, remote monitor and similar instruments, which are in data communications
with the IMDs. The structures and methods of these schemes are generally defined in
the application entitled "Medical System Having Improved Telemetry," filed July 19, 1999,
Ser. No. 09/356,340; "System and Method for Transferring Information Relating to an
Implantable Medical Device to a Remote Location," filed on July 21, 1999, Ser. No.
09/358,081; "Apparatus and Method for Remote Troubleshooting, Maintenance and
Upgrade of Implantable Device Systems," filed on October 26, 1999, Ser. No.
09/426,741; "Tactile Feedback for Indicating Validity of Communication Link with
[illegible] Medical Device," filed October 29, 1999, Ser. No. 09/4[illegible]; "Apparatus
and Method for Automated Invoicing of Medical Device Systems," filed October 29,
1999, Ser. No. 09/429,[illegible]; "Apparatus and Method for Remote Self-Identification of
[illegible] Medical Device Systems," filed October 29, 1999, Ser. No. [illegible]; "Apparatus
and Method to Automate Remote Software Updates of Medical Device
Systems," filed October 29, 1999, Ser. No. 09/429,960; "Method and Apparatus to Secure
Data Transfer From Medical Device Systems," filed November 2, 1999, Ser. No.
09/431,881; "Implantable Medical Device Programming Apparatus Having [illegible]
Component Storage Compartment," filed November 4, 1999, Ser. No. 09/433,477;
"Remote Delivery Of Software-Based Training For Implantable Medical Device
Systems," filed November 10, 1999, Ser. No. 09/437,615; "Apparatus and Method for
Remote Therapy and Diagnosis in Medical Devices Via Interface Systems," filed
December 14, 1999, Ser. No. 09/460,580; "Virtual Remote Monitor, Alert
and Programming For Implantable Medical Device Systems," filed December 1, 1999,
Ser. No. 09/466,284; "Instrumentation and Software for Remote Monitoring and
Programming of Implantable Medical Devices (IMDs)," filed December 21, 1999, Ser.
No. 60/172,937; "Application Proxy For Telecommunication-enabled Remote [illegible]
Access [illegible]," filed December 23, 1999, Ser. No. 60/173,081; "Information
Network Scheme For Interrogation Of Implantable Medical Devices (IMDs)," filed
December 24, 1999, Ser. No. 60/173,064; "Medical Device GUI For Cardiac
Electrophysiology Display And Data Communications," filed December 24, 1999, Ser.
No. 60/173,065; "Integrated Software System For Implantable Medical Device [illegible]
Installation And Management," filed December 24, 1999, Ser. No. 60/173,0[illegible];
"Dynamic Bandwidth Monitor And Adjuster For Remote Communications With A
Medical Device," filed December 24, 1999, Ser. No. 60/173,083; "Large-Scale Processing
Loop For Implantable Medical Devices (IMDs)," filed December 24, 1999, Ser. No.
60/173,079; "Chronic Real-Time Information Management Systems For Implantable
Medical Devices (IMDs)," filed December 24, 1999, Ser. No. 60/173,062; "Automatic
Voice and Data Recognition For Medical Device Instrument Systems," filed December
24, 1999, Ser. No. 60/173,071; "Central Switchboard to Facilitate Remote Collaboration
With Medical Instruments," filed December 24, 1999, Ser. No. 60/173,080; "System Of
Notification Of Recalled Components For A Medical Device," filed December 29, 1999,
Ser. No. 09/474,694; "A Communications System For An Implantable Device And A
Drug Dispenser," filed December 30, 1999, Ser. No. 09/475,709; "User Authentication In
Medical Systems Device," filed December 30, 1999, Ser. No. 60/173,822; "Automated
Invoicing Based On Medical System Usage," filed December 30, 1999, Ser. No.
60/173,824; "Responsive Manufacturing and Inventory Control," filed February 04,
2000, Ser. No. 60/180,289; "Information Remote Monitor (IRM) Medical Device," filed
February 04, 2000, Ser. No. 60/180,285; "Follow-Up Monitor For Implantable Medical
Device," filed February 23, 2000, Ser. No. 60/184,221; "Implantable Medical Device
With Multi-Vector Sensing Electrodes," filed March 1, 2000, Ser. No. 60/186,235;
"Stimulator For Delivery Of Molecular Therapy," filed March 07, 2000, Ser. No.
60/187,280; "Individualized, Integrated, And Informative Internet Portal For Holistic
Management of Patients With Implantable Devices," filed March 15, 2000, Ser. No.
60/189,562; "Heart Failure Monitor Quick Look Summary For Patient Management
Systems," filed March 17, 2000, Ser. No. 60/190,272; "A Universal Interface For
Medical Device Data Management," filed March 17, 2000, Ser. No. 60/190,465;
"Telepresence Apparatus And Method For Remote Implantable Medical Device
Implementation And Management," filed March 24, 2000, Ser. No. 60/192,006; "A
Hand-Held Surface ECG and RF Apparatus Incorporated With a Medical Device," filed
March 29, 2000, Ser. No. 60/192,943; all of which are incorporated herein by reference
in their entirety.

Data encryption is a valuable tool for protecting privacy and ensuring data
authenticity. Specifically, encryption technology, which has wide application in the
management of regulated therapy and diagnosis data, is widely used. More particularly,
security relating to medical data is important to prevent tampering, modification or data
corruption when data is sent over a public network that is potentially subject to
eavesdropping and tampering. Even for dedicated lines and other secure data channels, it
may be desirable to use encryption technology, such as digital signatures or checksums, to
assure the integrity of transmitted messages. Such confirmation by means of digital
signatures or checksums may be particularly indicated in patient care, where privacy, and
accuracy in instructions, either to a human caregiver or to a remote device, may be
important. For example, the highest level of security and accuracy may be indicated for
patient data on which critical therapy and diagnosis depend. On the other side of the
security spectrum, data that is collected by a sensor on a real-time basis, for example, an
electrocardiogram (ECG), an electroencephalogram, or an IEGM, may be sent with
minimal or no protection and relatively lower accuracy. In addition, the reduction in
computing overhead to which real-time data may be subject according to an embodiment
of the present invention helps to ensure that no distortion of data as a function of time is
injected into the real-time physiologic data being transmitted.

Prior art encryption systems are not dynamically adjustable. Further, prior art
lacks selectable encryption devices and methods which are based on the level of
security assigned to the data to be encrypted. Additionally, various networks such as the
Internet, World Wide Web, and the like do not implement dynamically variable
encryption systems. Prior art systems or networks typically implement encryption on a
highly granular level. Typically, these prior art systems will either encrypt all of the
system's data at either a very high level, an intermediate level or not at all. There are
problems associated with each one of these levels. If one chooses to encrypt all their data
with a high encryption level, then the data will be very secure; however, a large amount
of bandwidth is needed to transmit the information. If one chooses to encrypt all of their
data at an intermediate level, then the amount of bandwidth required decreases; however,
the security of the information decreases. Moreover, if no encryption is utilized, then the
amount of bandwidth needed is at a minimum; however, the information is not secure.
SUMMARY OF THE INVENTION
The present invention provides for an encryption apparatus and method in which
data from an Implantable Medical Device ("IMD") and a data center could be transferred
based on a differentiated encryption system. The encryption scheme allows for the
differentiation, segregation, and classification of data at required or needed levels of
security. The present invention relates to an apparatus and method for securely
transferring sensitive information, such as patient information, between a programmer
and a clinician computer using encryption methods and structure implemented in
hardware or software systems to protect the data from eavesdropping, and ensure its
authenticity and integrity. Therefore, one aspect of the present invention is to provide a
method and apparatus to variably encrypt and transfer data sent between various elements
of a data system. Another aspect of the present invention is differentiating between data
requiring a high level of encryption from data requiring low or no data encryption.

Yet another aspect of the present invention is to provide a high level of encryption
to sensitive data to prevent unauthorized use and/or modification.

A further aspect of the present invention is to provide a method and apparatus to
variably encrypt and transfer data sent between various elements of a data system through
various public networks or internetworks such as the Internet.

Another aspect of the present invention is to provide an apparatus and method
which utilizes bandwidth more efficiently by differentiating between different types of
data and only encrypting the data when necessary. Before transfer of the data, either
from an IMD or any other part of a support network for the IMDs, the encryption device
begins to distinguish the data. In an alternate embodiment of the present invention, the
encryption scheme may be manually selected according to the preferences of a user, such
as a patient. The variable data is then classified based on various levels of security
having distinct encryption protocols. After classification the data is encrypted based on
the data's level of security. The data is then transmitted. Upon being received the data is
then segregated based on whether the data is encrypted. The encrypted data is then
decrypted and may be interpreted by a human clinician or forwarded to an analytical
system, computer, or medical device.
BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a network architecture diagram of a medical device system in which
the present invention may be utilized.

Figure 2 is a block level diagram of a variable encryption device.

Figure 3 is a graphical representation of various types of data which may be
transmitted in a network system such as that in Figure 1, showing typical error rates.

Figure 4 is a block diagram illustrating an embodiment of a secure data transfer
process in accordance with the present invention.

Figure 5 is a flow chart illustrating a method for securely transmitting sensitive
information from a programmer to a computer in accordance with the present invention.

DETAILED DESCRIPTION 
To assist in an understanding of the invention, a preferred embodiment or 
embodiments will now be described in detail. Reference will be made to the drawings, 
which are summarized above. Reference numerals will be used to indicate certain parts 
and locations in the drawings. The same reference numerals will be used to indicate the 
same parts or locations throughout the drawings unless otherwise indicated. 

With reference to Figure 1, various types of medical data can be transferred across
various storage, memory and server platforms, as provided in the applications listed
above assigned in common to the assignee of the instant invention. At each stage of
these data transfer operations, security, integrity, and composition may be compromised.
Since there is always the potential of eavesdropping on insecure channels or networks,
and the potential for corruption of data during the transfer process, there is a need for a
high level of security and accuracy for data transfer. This need is of great significance
when the data transferred includes patient data, medical device program commands, and
physician's options and choices concerning diagnosis and treatment plans. If any of this
data is corrupted, this may be insignificant in patient diagnosis and treatment, but may
conceivably result in an adverse patient outcome. In addition, regulatory schemes may
govern the transmission and communication of such data when it is individually
identifiable. Because these possibilities exist, there is a need to encrypt the data being
transferred in a medical data management system to prevent tampering, modification, or
data corruption through noisy or lossy transmission media. It may even be desirable to
provide for non-repudiation of some medical information or communications, such as
with regard to reconciliation of conflicting information, which is also possible through
asymmetric key encryption schemes.

Nonetheless, there is one significant drawback to data encryption. The more
security needed for the data, the higher the level of encryption necessary and
thus the more bandwidth needed. Networks are typically limited by bandwidth, i.e., the
capability of the network to transmit the impulses which convey the data across network
connections, which may be a limitation of a layer of the network protocol, a function of
structural resource imbalance in the network, router or other bottlenecks, high traffic, or
the limitations of the physical transmission media. Encrypted data typically results in a
larger amount of data, from the standpoint of the network, being transferred in
comparison to the native data prior to encryption. This is because the encrypted data is a
multiplied product of the numerical values of the native data and the encryption key. In
addition, message integrity checks, such as the Message Integrity Code (MIC), a secret
checksum that cannot be altered without detection, result in additional data relative to the
native data. Even data integrity checksums, such as CRC-32, while not technically
"encrypted" data, also result in increased bandwidth demands, because the native data is
sent in addition to the data integrity checksum.

In considering the encryption and data verification systems discussed above, it is
apparent that in addition to bandwidth concerns, the encryption and decryption of data is
a relatively computationally-intensive endeavor for computing devices, and adds
overhead to processor functioning. Commercial-grade encryption thought suitable for
electronic commerce transactions, for example, typically uses a key length exceeding 128
bits. A sufficiently long key length is required to ensure that it remains computationally
infeasible to determine a key from a body of cryptotext. Accordingly, the encryption and
decryption of data involves the multiplication of data, represented in numeric form, times
the other large numbers that constitute the encryption key. Typically, advances in
computing power provide that computing devices can cope with increases in key length,
while providing that unauthorized decryption is not feasible. However, for some
computing devices, particularly medical devices and computer peripherals, this overhead
may prove non-trivial, and may result in a slowing down of the processor, transmission-
queue backlog, and dropped packets or data. Therefore, high security encryption may
prove inconvenient for data security needs, particularly with regard to medical device-
related computing equipment. While increases in computer power and speed help to
make this overhead less onerous, these same increases in computing power increase the
power of eavesdroppers to decrypt encrypted data, for example, using a 'brute force' or
exhaustive computational approach. Accordingly, parties transmitting data and the
abstract 'bad guys' may be thought of as being engaged in an escalating race with regard to
key lengths and computing power. Because of advances in semiconductor technology
and chip speeds, by which hardware price/performance ratios are improving about 40%
annually, it is generally held that key lengths must grow by at least 1 bit every 2 years.
Accordingly, data encryption can be expected to add increasing overhead to data
transmission for the indefinite future.

The differentiation scheme provided by the present invention enables a user or
device schema to segregate and classify data at required or desired levels of security.
This approach enables a system to match a security software scheme that is tailored to the
security levels applicable to a data set. The variation in encryption may vary according to
the type of data being transmitted, e.g., real-time physiologic signals from an implanted
device may not require encryption, while patient records and identifying information will
typically be encrypted. Typically, when a regulatory scheme is in place governing the
transmission of patient information, there may exist a prohibition on the unauthorized
dissemination of medical information that may be tied to an identifiable individual.
Therefore, an encryption scheme according to the present invention may provide for
encryption of only such data as could lead to the identification by an eavesdropper of the
patient to which the data pertains.

Thus patient data, particularly individual patient-identifiable information,
program commands to remote programmer devices or implantable device controllers, and
physician instructions and preferences, as well as user authentication information, would,
by default, be subject to encryption using relatively large key lengths, i.e., using
commercial-grade or higher key lengths and encryption schema. In contrast, other data
may be regarded as less sensitive, such as real-time sensor, EKG, or IEGM data. This
data may by default be sent unencrypted or with minimal encryption. While default
settings may be provided for different forms of data, these default values will preferably
be subject to change according to user, patient, or clinician preferences, and may also
change in response to the quality of network transmission and bandwidth availability.
Accordingly, if bandwidth becomes more or less available, the extent of encryption
or the types of data subject to encryption may change. If network traffic becomes noisy
or lossy, encryption or checksum integrity verification may automatically be increased so
as to provide for protection against garbled data.

The present invention may be expected to speed up the transfer of data and 
command and control messages to remote medical devices and related peripheral 
equipment. 

The bandwidth and computing overhead demands of encryption often pose the
undesirable conflicting demands of security versus efficient transmission throughput.
The present invention recognizes and reduces the conflict between these objectives.

Typically, not all data on a network needs encrypting. Each network will have its
information it desires to keep secure and its information that does not require any
security. Therefore, the present invention promotes economics of bandwidth by
classifying various IMD data based on various levels of security having distinct
encryption protocols. Thus, data with the highest encryption protocol occupies the
largest bandwidth. Alternatively, less critical data may be transmitted with encryption
requiring much-reduced bandwidth while data at the lowest security level could be
transmitted with no encryption. Asymmetric encryption is slower, i.e., has greater
overhead, than symmetric systems by which both parties to a communication share one
identical secret key. Accordingly, in one embodiment of the subject invention, a hybrid
system is used, by which certain data is encrypted using asymmetric key encryption, part
of the data being a symmetric session key for remaining communications in that session
or for later sessions, further reducing computing overhead.
In a preferred embodiment of the present invention, a system may be
implemented with dynamic configuration of levels of encryption based on the level of
risk associated with the data being transmitted. The invention enables, inter alia, data
classification, aggregation, and dissemination based on perceived risk levels for secure
transfer of data across remote systems in various sized medical data management
environments.

Preferably, the invention is implemented in a manner to provide dynamically
variable, or "on-the-fly" encryption of transmitted data, especially medical device and
patient physiology data between various nodes in a data communications network, such
as a medical device "LINK" system, as described in the earlier-referenced patent
applications assigned in common to the assignee of this application.

Figure 1 depicts an implantable medical device communication network generally
at 110 as may be implemented according to the earlier referenced patents assigned in
common with this application. The variable encryption according to the present
invention may be implemented by several of the IMD interface devices utilized in the
network, including various types of programmers and instruments, such as, without
limitation, Extender 112, Slate 114, or Home Monitor 116. In addition, the variable
encryption may be implemented by IMD manufacturer server 120, or clinician computer
122. Each of the interface devices and computing devices would support either a software
implementation of the present invention, or a built-in or peripheral hardware
implementation of the present invention, as described with reference to Figure 2.

With reference to Figure 2, a block diagram of the variable encryption assembly is
shown. This may be implemented as a hardware component device 128, or as software
modules, the software being installed on an interface device to the IMD support network
of Figure 1. An input is received via RF head 130 from IMD 132. The data
communication pathway 133 may also be implemented over a physical network
connection, with the IMD being replaced by an interface device such as 112, 114, 116, or
118 or computing devices 120 or 122 in Figure 1 or a data management system or
database. Once the data is received into device 128, the classifier 134 determines what
type of information the data represents and then outputs the data to the segregator 136.
The segregator 136 then separates the data based on preset or user-defined security levels.
The preset levels determine what information is encrypted and at what level of
encryption. For example, real-time patient monitoring equipment transmissions, which
do not individually identify a patient and for which instantaneous data variation is not
critical, may be passed directly to interleaver 138. After the data for encryption is
segregated it is then outputted to encryptor 140, which encrypts the data at varying levels
depending on preset or user-defined level of security. After the data is encrypted it is
transmitted to interleaver 138, for placement into the output data stream to network
interface 142 for routing to its respective destination of a node on network 144, e.g. a
particular IP or other network address. Preferably, data processed through encryptor 140
will be tagged, e.g., with a dummy variable or set bit, to indicate to the recipient that the
data is subject to the encryption scheme in place, as discussed herein. Each of the
devices 134, 136, 140, or 138 may be implemented as separate software modules rather
than hardware devices, for which purposes Figure 2 may be interpreted as a software
architecture diagram.

With reference to Figure 3, a pictorial representation of the various medical data
that can be transferred along various networks is shown by graph 150. The data includes
encrypted, variably encrypted, and un-encrypted data; together with the corresponding
error rates, defined as the probability of an error occurring in the transmission of a bit, are
shown for various types of medically-related data. The medical data may include, for
example, low sample rate sensors along range 152, having sample rates on the order of
approximately 1 sample per minute. These may include parameters such as oxygen
saturation level and blood pressure, for example. These data have a bit error rate on the
order of 10^-[exponent illegible] to 10^-[exponent illegible], respectively; and thus may
typically be transmitted anywhere between one and 100 days before an error occurs.

Higher sampled sensor signals depicted by range 154, having approximately 512
samples per second, such as electrocardiogram, cardiac flow, and contractility, for
example, may be transmitted for between 15 seconds to about 20 minutes before an error
occurs with bit error rates in the same range of 10^-[exponent illegible] to
10^-[exponent illegible]. Audio/video streaming data transmissions, range 156, in the
range of 1.5-3 KHz or .25-.5 KHz compressed, may be transmitted with errors every 5 to
50 seconds with no appreciable degradation of performance and/or function. Digital data,
shown by range 158, such as diagnostic counters, programmed parameters, and control
variables, may be transmitted for 20 minutes before an error occurs at 10^-[exponent
illegible] bit error rate. Using various error correction/detection methods can increase the
above mentioned bit error rates. The mean error times may be taken into account
dynamically in determining whether performing a checksum or other integrity check
would be warranted, considering the importance of instantaneous accuracy in the
parameter being transmitted. The mean error rate, expected time between errors, the
criticality of the information to patient care and outcome, and volume of native data as a
function of time will preferably all be taken into account in determining the encryption
level suitable to any given medical data.
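The classifier, segregator, encryptor and interleaver pipeline of Figure 2, together with the lossy-link policy of the preceding paragraphs, as an added Python example that is not part of this patent application: each record is tagged with its security level, protected accordingly (native, CRC-32, keyed MIC, or encrypted plus MIC), interleaved into one stream, and then segregated, verified and decrypted by the receiver. It assumes a symmetric session key already shared between programmer and clinician computer (the hybrid scheme the text describes), uses an HMAC-SHA256 keystream as a stand-in for the DES/IDEA ciphers the text names, and the data-kind table, frame layout and sample records are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import zlib
from enum import IntEnum


class Level(IntEnum):
    """Level assigned by the classifier; the value is also the frame's tag byte."""
    NONE = 0     # native form, e.g. non-identifiable real-time ECG/IEGM samples
    CRC = 1      # native data + CRC-32: catches garbling, gives no secrecy
    MIC = 2      # native data + keyed MIC (HMAC-SHA256): catches tampering
    ENCRYPT = 3  # encrypted under the session key, plus keyed MIC


# Default level per data kind: a constructed table modelled on the text's examples
DEFAULT_LEVELS = {"ecg": Level.NONE, "iegm": Level.NONE, "spo2": Level.CRC,
                  "diag_counters": Level.MIC, "program_cmd": Level.ENCRYPT,
                  "patient_id": Level.ENCRYPT, "auth": Level.ENCRYPT}
TAG_HDR = struct.Struct(">BH")  # tag byte (level) followed by body length
NONCE_LEN, MIC_LEN, CRC_LEN = 12, 32, 4


def classify(kind, ber=1e-7, lossy_ber=1e-5):
    """Classifier 134: level from data kind, raised when the link is lossy.
    Unknown kinds get the highest level so nothing is exposed by omission."""
    level = DEFAULT_LEVELS.get(kind, Level.ENCRYPT)
    if level == Level.NONE and ber >= lossy_ber:
        level = Level.CRC  # noisy link: add an integrity check on the raw samples
    return level


def _subkeys(session_key):
    # Distinct encryption and MIC keys derived from the one session key (assumption)
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mic", hashlib.sha256).digest())


def _keystream(enc_key, nonce, n):
    # Counter-mode keystream from HMAC-SHA256, standing in for DES/IDEA
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def protect(level, data, session_key):
    """Encryptor 140: one tagged frame carrying `data` at the given level."""
    enc_key, mac_key = _subkeys(session_key)
    if level == Level.NONE:
        body = data
    elif level == Level.CRC:
        body = data + struct.pack(">I", zlib.crc32(data))
    elif level == Level.MIC:
        body = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    else:
        nonce = os.urandom(NONCE_LEN)
        ct = nonce + _xor(data, _keystream(enc_key, nonce, len(data)))
        body = ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
    return TAG_HDR.pack(level, len(body)) + body


def interleave(records, session_key, ber=1e-7):
    """Segregator 136 + interleaver 138: classify each (kind, bytes) record and
    place its frame into a single output stream."""
    return b"".join(protect(classify(k, ber), d, session_key) for k, d in records)


def segregate(stream, session_key):
    """Receiver: split the stream by tag byte, then verify or decrypt each frame.
    Returns a list of (Level, data); raises ValueError on any integrity failure."""
    enc_key, mac_key = _subkeys(session_key)
    out, pos = [], 0
    while pos < len(stream):
        level, n = TAG_HDR.unpack_from(stream, pos)
        body = stream[pos + TAG_HDR.size:pos + TAG_HDR.size + n]
        pos += TAG_HDR.size + n
        if level == Level.NONE:
            data = body
        elif level == Level.CRC:
            data, crc = body[:-CRC_LEN], body[-CRC_LEN:]
            if struct.pack(">I", zlib.crc32(data)) != crc:
                raise ValueError("CRC mismatch: garbled frame")
        else:
            payload, mic = body[:-MIC_LEN], body[-MIC_LEN:]
            expect = hmac.new(mac_key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expect, mic):
                raise ValueError("MIC mismatch: tampered frame")
            data = payload
            if level == Level.ENCRYPT:
                nonce, ct = payload[:NONCE_LEN], payload[NONCE_LEN:]
                data = _xor(ct, _keystream(enc_key, nonce, len(ct)))
        out.append((Level(level), data))
    return out


def overhead_bytes(records, stream):
    """Bytes added on the wire relative to the native data: the cost the text weighs."""
    return len(stream) - sum(len(d) for _, d in records)


# Constructed sample session between a programmer and a clinician computer
SESSION_KEY = b"constructed-session-key-32-bytes"
SAMPLE_RECORDS = [("ecg", bytes(range(64))), ("spo2", b"\x5f"),
                  ("diag_counters", b"counters:12,7,300"),
                  ("program_cmd", b"SET rate=70"), ("patient_id", b"MRN:000123")]
```

Running `segregate(interleave(SAMPLE_RECORDS, SESSION_KEY), SESSION_KEY)` returns the five records with their assigned levels; `overhead_bytes` shows how the per-level tags, checksums and MICs enlarge the stream beyond the 103 native bytes.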

Dynamically variable encryption could also be implemented to manage data
from a diverse network of medical devices, as shown in Figure 1. Thus the present
invention would not be limited simply to medical data management networks, but
instead could be implemented on any network. The present invention could be extended
to interact between various networks or internetworks, including public networks such as
the Internet or the World Wide Web.

Figure 4 is a block diagram illustrating one embodiment of a secure data transfer
structural scheme in accordance with the present invention, shown generally at 220. In
this embodiment, sensitive information 221 (such as patient information) is transferred in
encrypted form from IMD, any one of the programmers and instruments (112, 114, 116)
or similar remote device to remote expert data center or clinician computer 122 across
data communications media/connection 226. While a representative use of the present
invention is illustrated using communications between Programmer (112, 114, 116) and
clinician computer 122, any combination of clinician devices, IMD interface devices,
central database or expert system servers, medical device personnel personal computers
or servers, and patient monitoring equipment, or any other data transmission device may
be used in accordance with the present invention. In the illustrative example,
Programmer (112, 114, 116) may be any instrument capable of obtaining, storing, and
transmitting medical and administrative information, including sensitive information 221.
Programmer (112, 114, 116) is capable of being coupled to one or more IMDs 132. IMD
132 obtains certain information, possibly including sensitive information 221 from the
patient, then transfers the patient information to programmer (112, 114, 116). Data
communication media 226 could be configured to include a telephone line connection, a
direct network connection, an intranet connection, an internet connection, wireless LAN,
fiber optic network, a satellite connection, a laser or infrared system, any other suitable
network protocol connection, or a combination thereof.

Key source 228 provides both programmer (112, 114, 116) and clinician
computer 122 with encryption/decryption keys for encrypting/decrypting sensitive
information 221. In one embodiment of the invention, key source 228 distributes
symmetric encryption/decryption keys. In another embodiment of the invention, key
source 228 distributes asymmetric keys (i.e., public/private keys). If the
encryption/decryption algorithms employed by the invention are standard algorithms
known to the public, additional security measures must be taken in the disbursement of
the keys from key source 228 to programmer (112, 114, 116) and 122 in order to ensure
privacy. In addition to sensitive patient information, the invention may also securely
transfer other forms of sensitive information 221, including physician data, customer
data, and/or manufacturer data to remote expert data center 122. If programmer (112,
114, 116) is transmitting real-time patient physiologic information relayed from an
implanted IMD, or is transmitting other information that cannot be identified to an
individual, clinician monitoring or attending computer 122 may select that data be sent
in an unencrypted form; which instruction may be sent to programmer (112, 114, 116).
Preferably, this instruction to cease transmitting in encrypted mode will itself be
encrypted, to provide authentication of the command and prevent a false instruction to
this effect by an eavesdropper accessing communication media 226. Alternatively,
programmer (112, 114, 116) may be programmed to transmit all real-time physiologic
data in an unencrypted form, where this would not subject patient-identifiable
information to disclosure.

Before sensitive information 221 is transmitted across data communication media
226, sensitive information 221 is encrypted by encryption engine 230. Encryption engine
230 may be implemented in hardware or software, although it may preferably be
implemented in software to allow for ease of upgrades to different algorithms, key
lengths and key variation. Encryption engine 230 is a monolithic representation of the
hardware device or software implementation of device 128 of Figure 2. Encryption
engine 230 encrypts sensitive information 221 by use of an encryption algorithm and a
key. In essence, encryption engine 230 converts sensitive information 221 to a random
scrambled message. Encryption engine 230 produces different encrypted scrambled
messages depending on the specific value and format of the encryption key. Various
encryption algorithms may be utilized within the framework and context of the invention.
In one embodiment, the invention utilizes a symmetric key cryptography type algorithm
(i.e., the same key is used by programmer (112, 114, 116) and clinician computer 122 to
encrypt and decrypt sensitive information 221). Examples of symmetric key
cryptography types include Data Encryption Standard (DES) and International Data
Encryption Algorithm (IDEA). In another preferred embodiment, the invention utilizes a
public key/private key cryptography encryption type algorithm (i.e., different keys are
used by programmer (112, 114, 116) and clinician computer 122 to encrypt and decrypt
sensitive information 221). Examples of public key cryptography encryption types
include the Rivest, Shamir, Adleman algorithm (RSA) and Pretty Good Privacy (PGP).
In one embodiment of the subject invention, encrypted communications are effected
using a session key, applicable to a single communication session between a device, such
as programmer (112, 114, 116), and clinician computer or data center 122. Under this
embodiment, encrypted information may be sent after encryption with the session key as
a virtually tunneled communication, while other less sensitive or real-time information
may be sent in plain-text or native form. In addition to encryption, encryption engine 230
may implement a non-encrypted message integrity checksum, e.g., CRC-32, or a key-
based MIC.

In one embodiment of the invention, encryption engine 230 also adds a digital
signature to sensitive information 221 transmitted by programmer (112, 114, 116). As
stated earlier, digital signatures are useful in validating the authenticity of a
communication. A digital signature can be used in conjunction with a message
containing sensitive information 221 by first creating a message digest (a 128 bit hashed
representation of a message) with the sender's (e.g., programmer 112, 114, 116) private
key, attaching the message digest to the message, then encrypting both the message
digest and the message with the recipient's (e.g., clinician computer 122) public key. The
recipient reverses these steps, first decrypting the message with the recipient's private
key, then decrypting the signature with the sender's public key.

After sensitive information 221 has been encrypted, the encrypted sensitive
information is transmitted to clinician computer 122 via data communications media 226.
In alternate embodiments, data communication media 226 is implemented via a telephone
line connection, an intranet connection, an internet connection, wireless LAN, fiber optic
network, a satellite connection, one or more satellite connections, or a combination
thereof. Data communication media 226 may be exposed to security vulnerabilities, for
example, during the transmittal of sensitive information 221 from programmer (112, 114,
116) to clinician computer 122. By encrypting sensitive information 221 before
transmission, the confidentiality of the information is preserved.

Clinician computer 122 receives the encrypted sensitive information 221
transmitted by programmer (112, 114, 116). In one embodiment of the invention,
clinician computer 122 is a second remote medical instrument 221. Decryption engine
234 resides on clinician computer 122, and decrypts the encrypted sensitive information
using a decryption algorithm corresponding to the encryption algorithm and a decryption
key corresponding to the encryption key that was used to originally encrypt the message.
The output of decryption engine 234 is the original, unencrypted sensitive information
221.

Another embodiment of a secure data transfer structural scheme in accordance
with the present invention may involve the transfer of encrypted sensitive information
from clinician computer 122 to remote instrument 118. This sensitive or critical
information may include, for example, IMD instructions or IMD software upgrades.

In this embodiment, simply the reverse of that depicted in Figure 4, a clinician
computer includes an encryption engine, such as that depicted in Figure 2, for encrypting
sensitive information prior to transfer to a programmer via a data communications
media/connection. In alternate embodiments, data communication media is implemented
via a telephone line connection, an intranet connection, an internet connection, a satellite
connection, a constellation of satellite connections, or any combination thereof. The
programmer includes a decryption engine for decrypting encrypted sensitive information
after encrypted sensitive information has been transferred by clinician computer. The
key source provides both programmer and clinician computer with encryption/decryption
keys for encrypting/decrypting sensitive information.

This embodiment of the invention is useful when sensitive information, such as
patient data, manufacturer data, or operational data, needs to be securely transferred from
clinician computer to programmer. For example, a patient monitored by a first
programmer may move to a different part of the country and switch health care
providers. Sensitive information from the patient can first be transferred from the first
programmer to clinician computer, as previously illustrated in Figure 4. Then, sensitive
information can be transferred from clinician computer to a second programmer at the
new health care provider. Accordingly, sensitive information can be quickly and securely
transferred between two or more programmers, via clinician computer.

In another application of the invention, the manufacturer of programmer (112,
114, 116) may wish to update software applications or other manufacturer specific
information on programmer (112, 114, 116). Since manufacturer specific information
may include sensitive, proprietary information such as software updates or new software
modules, it is imperative to the manufacturer that this sensitive, proprietary information
be carefully protected. Rather than manually installing the manufacturer updates at a
programmer location (which may be time consuming depending on the location of the
programmer), the invention enables the secure transfer of manufacturer updates using the
various encryption techniques or equivalent structure and methods disclosed herein.

Preferably, the invention will be implemented with bi-directional data
transmission of encrypted sensitive information between clinician computer 122 (or other
network node) and programmer (112, 114, 116) (or other IMD interface).

In the preferred embodiment, programmer (112, 114, 116) contains both
encryption engine 230 and decryption engine 234. Similarly, clinician computer 122
contains both encryption engine 230 and decryption engine 234. Key source 228
provides both programmer (112, 114, 116) and clinician computer 122 with
encryption/decryption keys for encrypting/decrypting sensitive information 221 residing
on programmer (112, 114, 116) and/or clinician computer 122. Sensitive data is
transferred between programmer (112, 114, 116) and clinician computer 122 via data
communication media 226. In alternate embodiments, data communication media 226 is
implemented via a telephone line connection, an intranet connection, an internet
connection, wireless LAN, fiber optic network, a satellite connection, a constellation of
satellite connections, or any combination thereof.

In one application of the embodiment shown in Figure 4, direct transfer of
encrypted sensitive information 221 can occur directly between two or more
programmers 118. In other words, clinician computer 122 can be a second programmer.
Since, in this example, each programmer (112, 114, 116) supports bi-directional secure
data transfer (i.e., includes both an encryption engine and a decryption engine), a separate
clinician computer 122 is no longer needed to support communications between two or
more programmers 222.

Figure 6 is a flow chart illustrating a method for securely transmitting sensitive
patient information from programmer (112, 114, 116) to clinician computer 122 in
accordance with the invention, as shown generally at 280. The method begins by
generating a first encryption key for distribution to programmer 222, as shown at step
282. At step 284, a second encryption key is generated for distribution to clinician
computer 122. Both the first encryption key and the second encryption key are generated
by key source 228, shown in Figures 5-7. A number of different previously discussed
algorithms may be used to generate the first encryption key and the second encryption
key. In one embodiment of the invention, the first encryption key and the second
encryption key are the same (i.e., symmetric key encryption). In another embodiment of
the invention, the first encryption key and the second encryption key are different (i.e.,
public/private key encryption). In both embodiments, the first encryption key and the
second encryption key are related so that an encrypted file produced by the first
encryption key may be decrypted by the second encryption key.
At step 286, sensitive information, after being designated or segregated from non-
sensitive data such as real-time monitoring data residing on programmer (112, 114, 116),
is encrypted with the first encryption key. An encryption algorithm resident on
programmer (112, 114, 116) takes sensitive information 221 and the first encryption key
as inputs and produces a file containing the encrypted sensitive information as an output.

Next, encrypted sensitive information 221 is transferred from programmer (112,
114, 116) to the clinician computer 122 via data communication media/connection 226,
as shown in step 288. In alternate embodiments, data communication media/connection
226 is accomplished via a telephone line connection, an intranet connection, an internet
connection, wireless LAN, fiber optic network, a satellite connection, a constellation of
satellite connections, a global positioning system (GPS) connection, or any combination
thereof. As stated earlier, data communication media/connection 226 may experience
security vulnerabilities which compromise the security of sensitive information 221 as
the information is transmitted from programmer (112, 114, 116) to clinician computer
122. By encrypting sensitive information 221 before transmission, the confidentiality of
the information is preserved during transmission on data communication
media/connection 226.

Finally, encrypted sensitive information 221 now residing on clinician computer
122 is decrypted with the second encryption key, as shown at step 290. Decryption
engine 234 takes encrypted sensitive information 221 and the second encryption key as
input, and generates the original, unencrypted sensitive information 221 for use by
clinician computer 122.
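The session-key scheme with a key-based MIC described earlier (only the sensitive portion is encrypted, real-time data travels in native form, and the instruction that switches encryption off must itself be authenticated) and the Figure 6 steps 282 through 290, worked through as an added Python example that is not the patent's own code. The HMAC-SHA256 counter-mode cipher (a stand-in for the DES/IDEA the text names), the field names and the sample record are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not the patent's code: a session-key variant of the Figure 6
# flow.  Patient-identifiable fields are encrypted; real-time fields travel in
# plain text, but the whole frame carries a key-based MIC so that a forged
# "send unencrypted" instruction or an altered field is rejected.  The cipher,
# HMAC-SHA256 in counter mode, stands in for the DES/IDEA the patent names.

def derive_keys(session_key: bytes):
    """Derive separate encryption and MIC keys from the one session key."""
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mic_key = hmac.new(session_key, b"mic", hashlib.sha256).digest()
    return enc_key, mic_key

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def protect(session_key: bytes, record: dict, sensitive_fields: set) -> dict:
    """Steps 286/288: segregate, encrypt the sensitive part, MIC the whole frame."""
    enc_key, mic_key = derive_keys(session_key)
    sensitive = {k: v for k, v in record.items() if k in sensitive_fields}
    plain = {k: v for k, v in record.items() if k not in sensitive_fields}
    nonce = secrets.token_bytes(12)                 # fresh per message
    pt = json.dumps(sensitive, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    frame = {"nonce": nonce.hex(), "ct": ct.hex(), "plain": plain}
    body = json.dumps(frame, sort_keys=True).encode()
    frame["mic"] = hmac.new(mic_key, body, hashlib.sha256).hexdigest()
    return frame

def unprotect(session_key: bytes, frame: dict) -> dict:
    """Step 290: verify the MIC before decrypting; raise on any alteration."""
    enc_key, mic_key = derive_keys(session_key)
    body = json.dumps({k: v for k, v in frame.items() if k != "mic"},
                      sort_keys=True).encode()
    expected = hmac.new(mic_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, frame["mic"]):
        raise ValueError("message integrity check failed; frame rejected")
    nonce, ct = bytes.fromhex(frame["nonce"]), bytes.fromhex(frame["ct"])
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return {**frame["plain"], **json.loads(pt)}
```

The receiver checks the MIC over the plain-text fields too, so flipping the mode field to request unencrypted transmission without the session key is detected rather than obeyed.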

It will be appreciated that the present invention can take many forms and
embodiments. The true essence and spirit of this invention are defined in the appended
claims, and it is not intended that the embodiment of the invention presented herein
should limit the scope thereof.